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Atty. Docket No.: 3033-0 155P 
METHOD AND SYSTEM FOR RISK CONTROL OPTIMIZATION 

Field of the Invention 

The present invention is directed to a method and system of 
selecting an optimal set of management and risk controls for a given set 
of risks within a variable control budget. Specifically, optimization 
according to the present invention is defined using a method and system 
to calculate the greatest reduction in an organization's risk exposure with 
the minimum investment in cost and time as measured by the economic 
value added of the risk system change. 

Background of the Invention 

Organizations exist for a purpose. They have a vision, goals and 
specific objectives aimed at achieving the goals and realizing the vision. 
Risks are those factors that jeopardize the achievement of the 
organizational objectives, goals, or vision - that create uncertainty that 
the desire results will be achieved. Organizations must identify risks that 
put their objectives in jeopardy and deploy controls to reduce the risk 
exposure. 

Risks are created by underlying hazards. Risk is the measure of 
the uncertainty in both time and severity that a hazard will cause a loss. 
The proper measure for risk is exposure, which is the product of the 
probability of the loss and the severity of the loss. Since risk is a 
stochastic phenomena, the best representation of risk is a loss 
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distribution function showing the probability of various severities of loss. 

Figure 1 shows a sample risk distribution for a single hazard. The 
total risk is equal to the area under the curve, the sum. of all the 
individual probabilities(Likelihood) times severity(Size of single loss). 
5 Risk controls operate to reduce the area under the curve. However, these 
risk controls have an associated cost. In an ideal world the resources 
available for risk control are infinite and risks can be reduced to zero. In 
the real world, resources are limited. The risks can only be reduced to 
zero by abandoning the objective and a balance must be struck between 

1 0 the "good" to be achieved and the cost of risk controls and potential loss 

from the residual risk (risk remaining after risk controls are applied). 

Furthermore, realization of the organizational vision requires the 
achievement of numerous objectives, all exposed to a vast number of 
different risks that need to be managed by a complex array of risk 

15 controls. Currently, most organizations manage these risks utilizing 
disconnected processes that are controlled by different functional areas 
within the organization. Evaluation by the organization's senior 
management of the efficiency and effectiveness of these various risk 
management efforts is hampered by at least two shortcomings. 

20 Management is hampered by the lack of consistent methods for (a) 

identifying and measuring the risk exposures and (b) measuring the 
performance of the associated risk controls. This makes it extremely 
difficult for the organization to set priorities and to achieve an optimal 
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allocation of resources toward risk control across the entire enterprise. 
This failure to establish an integrated enterprise-wide risk management 
system exposes an organization to two potentially dire consequences. 

First, a major risk may be overlooked that will prevent the 
5 achievement of the organization's objectives. Second, resources will be 

wasted on inefficient and/ or ineffective risk control efforts. 

One of the necessary and primary objectives of any organization is 
that economic value be added. The organization's efforts need to create 
additional economic value or the organization will eventually exhaust its 
10 capital and wither away without having realized its vision. This is true of 

all organizations whether they be private or public corporations or non- 
corporate organizations. 

One measure of economic performance is Stern Stewart & Co.'s 
Economic Value Added (EVA™) methodology. The basic theory states 
15 that economic value is added when future revenue cash flows exceed the 

expense and capital cash flows necessary to produce the revenue, more 
simply stated: 

EVA™ = Operating Profit (OP) - Cost of Capital (CC) , where 
Cost of Capital (CC)= Capital x Cost of Capital Rate (C*) 

20 Operating Profit can be further broken into two components: 

Operating Profit (OP) = Operating Revenue (OR)- Operating Expense (OE) 

So that the Economic Value Added (EVA) becomes: 
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EVA™ = (Operating Revenue - Operating Expense) - (Capital x C*) 
= (OR-OE) - (Capital x C*) 

The aforementioned methodology requires that all of the cash flows 
should be adjusted for taxes, time and risk. The EVA™ methodology was 
5 originally developed as a performance metric for explaining the valuation 

of public stocks. Stern Stewart & Co. has further expanded its 
application as a guide for large-scale resource allocation when 
considering "profit center" investments and as the basis for tying 
management compensation to increases in shareholder value. 

10 Before an organization can evaluate the performance of risk 

controls it must first identify and measure the risk exposures. This is a 
large, complex task, since organizations are faced with a huge number of 
hazards that generate varying degrees of risk exposure. Organizations 
generally divide responsibility for various risks among different functional 

15 groups within the organization in order to manage these risks. 

The basis for the distribution of the responsibility varies from 
organization to organization and within the same organization. In many 
instances a functional group will be responsible for managing the risks 
that jeopardize the operations that they are responsible for. An example 

20 is the responsibility of the treasurer for the foreign currency exchange 

risk. In other instances a manager will have responsibility for risks that 
span across multiple functional areas where the manager does not have 
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responsibility for the underlying operations. An example is the 
environmental manager whose is responsible for managing the 
environmental risks across the entire organization. Frequently 
responsibility is shared for various portions of the basic risk management 
5 process even if the distribution of responsibility is not well defined. 
Figure 2 shows a basic risk management process of the related art. 

Due to the historical distribution of responsibility for managing 
risks to isolate functions, the methodologies developed for the 
identification and measurement of risks vary greatly in their design, 

10 assumptions and outputs. Often management of the risks is performed 
using arcane technical language that varies from one functional area to 
another. Although the managers of these various risk are generally 
aware that the risk exposure has a probability and a severity component, 
they rarely use exposure to measure the risks and even more rarely use 

15 loss distribution functions to define the risk exposures. 

Normally the manager considers the issues of probability and 
severity separately. Accordingly, sufficient data to define the loss 
distribution function is rarely available. This makes it extremely difficult 
for organizations to place consistent valuations on the risks and 

20 subsequently to determine how to optimize the allocation of resources 
across the entire enterprise. Frequently resources are allocated based 
upon either (a) Historical happenstance, i.e. the organization is aware of 
a recent large loss that increases its sensitivity to the risk associated with 
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a particular hazard; or, (b) The organizational strength of the manager, 
i.e. a strong manager gathers more resources within the organization. 

More sophisticated managers use various subjective ranking 
systems to order the relative severity, probability and control cost. 
5 Labels are attached to each hazard indicating a subjective valuation of 

the severity and probability. For example severity may be ranked as 
"high", "medium", or "low". Probability may be ranked as "certain", 
"likely", "unlikely", or "rarely". The cost to control the risk is similarly 
ranked as "high", "moderate" or "low". A few of the ranking methodologies 

10 attempt to apply across all risks in the organization, but without 

establishing consistent operational definitions and measurement 
methodologies across the various functional areas. "High" and "Likely" 
frequently mean different things to different people. These methodologies 
also do not recognize the interdependencies that exist between various 

1 5 risk controls, nor do they tie back to the question of whether economic 

value is being created by the risk control efforts. 

A few organizations use sophisticated mathematical analysis to 
define loss distribution functions for risks within a particular functional 
area. These efforts, however, are restricted to a handful of risks due to 

20 the effort to rigorously define the loss distribution functions. Currently 

there are a number of historical forces at work that are moving 
organizations toward a more systematic management of risks across the 
entire enterprise. Broadly speaking these are: 
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• The Corporate Governance movement, 

• COSO's (Committee of Sponsoring Organizations) Internal 
Control - Integrated Framework, 

• The 1991 Federal Sentencing Guidelines for Organizations, 
5 • The Imperatives of World Class Performance 

Under the Stern Stewart & Co. methodology, a company will often 
allocate resources to activities that produce the greatest EVA and will 
reward those managers who generate EVA. Activities and managers, 
who do not produce EVA, will be easily identified and will provide a 

10 company with the opportunity to free up capital and direct it towards 

those who utilize it most effectively. 

EVA analysis was first applied to decisions regarding investments 
in the context of "profit centers." For instance, managers are now asked 
in advance to evaluate the efficacy (i.e. does the activity produce positive 

15 EVA) of expanding production capacity for a particular product line? 

Similarly, EVA is now being applied to "cost centers" as well. Managers 
of "cost centers" are being asked to justify new activities or even the 
existence of their function on the basis of EVA. 

At first glance this may seem difficult because by definition a "cost 

20 center" does not generate revenue and it would appear that only a 

reduction in the operating expense and capital requirements to zero 
would improve the situation. According to the EVA methodology, the 
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best result that can be achieved with respect to a cost center is a 
reduction in its negative impact on EVA. Therefore, a cost center or 
activity lacking revenue generating capabilities, would seemingly lack the 
ability to achieve a positive EVA. 
5 For example, consider the annual cost of preventative maintenance 

on a piece of machinery. The expenditure of capital to maintain the piece 
of machinery does not produce new revenue nor does it decrease the 
operating expense. Therefore, the conventional EVA methodology teaches 
that managers should evaluate the impact of preventative maintenance 

10 activities on EVA as producing a negative result. However, it appears 

that the wrong questions are being asked in the evaluation of the 
Economic Value Added. 

The division of a productive system into "profit" and "cost" centers 
is an arbitrary allocation of operating revenues to only a portion of the 

15 system that is required to produce and sell the product or service to the 

customer. For example, the evaluation of an investment in a new piece of 
machinery reveals the following: 

(1) An initial capital outlay either produces a new revenue stream 
with a given operating cost over the life of the machine, or 

20 (2) The initial capital outlay replaces an existing revenue stream at 

a reduced operating cost or 

(3) A combination of the two. 

In either case, one must be careful to capture the total operating 
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expense over the lifetime of the machine. In order to capture the total 
operating expense over the lifetime of the machine, an accurate 
evaluation should include the preventive maintenance cost necessary to 
keep the machine productive over its expected lifetime. 

Cash flows equally need to be adjusted for risk. However, 
methodologies and systems of the background art fail to provide a single 
system that offers the operator or manager the ability to accurately 
assess the Economic Value Added of all activities within an organization. 

For instance, cost allocation and activity-based costing are 
additional examples of accounting systems that assign or link some 
cost(s) with related cost objectives. Salaries for a group of employees in 
an operating unit are indicative of costs (salaries) associated with the 
maintenance of a cost objective (the operating unit). Similarly, raw 
materials costs are often assigned or allocated to a product or group of 
products (cost objective). However, as in all of the foregoing examples, 
the preventative maintenance costs associated with a machine in an 
manufacturing process would be considered "negatives" under all of the 
previous approaches. 
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Summary of the Invention 

The present invention overcomes the shortcomings associated with 

the approaches of the prior art and achieves other advantages not 

realized by the prior art. 

5 An object of the present invention is to provide organizations with a 

method and system for consistently identifying and measuring risks 

across the entire enterprise or any subpart of the enterprise. 

A further object of the present invention is to provide organizations 

with a method and a system for identifying potential controls for any 

1 0 given set of identified risks. 

A further object of the present invention is to provide a method and 

system for evaluating the economic value added of risk controls. 

A further object of the invention is to provide organizations with, a 

method and system for selecting risk controls, setting control priorities, 

15 and establishing an optimal control budget so that the economic value 

added is maximized. 

An object of the present invention is to integrate management 

controls and risk controls into a single system or methodology that will 

provide managers or operators with a tool to most efficiently allocate an 

20 organization's resources. 

These and other objects are accomplished by a method for 
optimizing a selection of risk controls based upon maximizing the 
economic value added within a client's given risk control budget, wherein 
said method comprises the following steps: identifying and measuring 
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risks; creating at least one risk control system based upon said risks; 
determining the economic value added of each risk control system; and 
selecting an optimal risk control system that has a maximum economic 
value added based upon the determining step. 
5 These and other objects are further accomplished by a computer- 

based data processing system to enable an operator to create a risk 
control system providing a maximum economic value, wherein said 
system comprises: means for storing risk models, wherein said risk 
models include risks and corresponding risk exposures; means for 

10 storing specific risk control models further classified and arranged by at 

least industry type, organizational structure, and functional segments 
within each industry type; means for storing management risk control 
models further classified and arranged by at least industry type, 
organizational structure, and functional segments within each industry 

15 type; means for developing risk control systems by combining said 
specific risk and management risk controls into at least one client 
specific risk control system; and means for determining an optimum risk 
control system by calculating an Economic Value Added (EVA) of each 
client specific risk control system so that said operator can select the 

20 optimum risk control system that demonstrates a maximum Economic 

Value Added (EVA). 

Advantages of the present invention will become more apparent from 
the detailed description given hereinafter. However, it should be 
understood that the detailed description and specific examples, while 

25 indicating preferred embodiments of the invention, are given by way of 
illustration only, since various changes and modifications within the spirit 
and scope of the invention will become apparent to those skilled in the art 
from this detailed description. 
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Brief Description of the Drawings 

The present invention will become more fully understood from the 
detailed description given herein below and the accompanying drawings 
which are given by way of illustration only, and thus do not limit the 
5 present invention. 

Figure 1 is a graphical representation of a sample risk distribution 
for a single hazard and the resulting effects of risk controls; 

Figure 2 is a basic block diagram depicting a basic risk 
management process found in the related art; 
10 Figure 3 is an organizational chart of a typical manufacturing 

company; 

Figure 4 is a flow chart of a methodology according to an 
embodiment of the present invention; 

Figure 5 is a flow chart of a portion of the methodology shown in 
1 5 Figure 4; 

Figure 6 is a flow chart of a portion of the methodology shown in 
Figure 4; 

Figure 7 is a flow chart of a portion of the methodology shown in 
Figure 4; and 

20 Figure 8 is a flow chart of a portion of the methodology shown in 

Figure 4. 

Detailed Description of Preferred Embodiments 

Figure 3 shows a partial organizational chart of a manufacturing 
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company. Each department of the company is further broken down into 
activities or functional segments. The maintenance department within 
the factory- service department of the company would be involved in daily 
activities that affect the performance of each of the remaining 
5 departments. However, many systems in the background art would focus 

on the decisions and budget of the maintenance department as primarily 
being a "cost center." 

The present invention provides a method and system that 
effectively calculates what the economic value added is of individual 

10 activities and processes throughout the entire organization, such as the 
maintenance department. The present invention provides the specific 
utility of integrating management and risk controls, whether applied by 
the president or the manager of the maintenance department, into a 
single system that can be applied to the individual functional segments 

15 (i.e., toward an individual maintenance procedure). The results are 

indications of the economic value added of each activity, process, or 
department that operates within the company's organizational structure. 

Example #1: Deriving EVA for a Safety System 

As seen in the following example of the present invention applied 
20 toward an individual machine in a manufacturing process, the present 

invention provides an opportunity to calculate the real economic value 
added to a company and directly/ indirectly resulting from the allocation 
of resources toward an activity. For instance, without preventive 
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maintenance efforts, the expected lifetime of a machine is shorter and the 
probability that the expected revenue will be achieved is less. As 
discussed with respect to the background art, an evaluation of the cash 
flows without consideration or alleviation of risk produces estimates that 

5 are likely to be inaccurate. 

The EVA impact of preventative maintenance can only be answered 
as part of a larger question involving the original investment in the 
machine. Similarly, the capital resources expended to maintain a safety 
management program are analogous to the capital expended on 

0 preventative maintenance. The whole question of safety efforts and EVA 

are more properly part of a larger question concerning the EVA 
calculation on the productive system in which the investment was 
originally made. 

Employees or producers are additional necessary assets in a 
5 productive system. The protection of these productive assets is a 

necessary operating expense as well that would likely be viewed as a cost 
center without the possibility of generating a positive EVA. 

It is often helpful when examining a productive system to focus on 
a particular set of processes and treat those processes as an 
0 "independent" subsystem that provides inputs to the rest of the 

productive system. 

Examples in a typical organization, as seen in Fig. 2, include the 
maintenance department and its preventative maintenance program; the 
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purchasing department and its system for procuring raw materials; the 
human resource department (Personnel) and its hiring processes; and the 
safety/ inspection department and its safety system. However, each of 
these subsystems, despite their individual characteristics and 
5 requirements, is not truly separate from and "independent" of the total 

productive system. 

When analyzing the safety system as an "independent system", it is 
important to capture all of the cash flows in both the safety system and 
the productive system. Due to the lack of safety management, a certain 
10 level of anticipated operating expense for workers compensation, lost 

production efficiencies and governmental fines over the lifetime of the 
productive system, must be factored into the base EVA calculation for a 
productive system. 

We can then evaluate the EVA impact of establishing a safety 
1 5 system by examining the impact of the system upon the base operating 

expense of the "non-safety managed " productive system versus the 
"safety managed" system. The EVA of the safety management system is 
the reduction in the productive system operating expense minus the cost 
necessary to implement the safety management system. 
20 Considering the basic EVA formula: 

EVA = (OR-OE)at- CC 

OR = Operating Revenues 
OE = Operating Expenses. 
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AT - Indicates that the calculation of Net Operating Profit must be 
adjusted for taxes 

CC = Cost of Capital = Capital (C) x Capital Rate (C*) 

Note that the cost of the investment shows up in two areas, OE & CC. A 
5 capital expenditure will have a depreciation component in OE and a cost 
of capital component in CC. However, this is not a double accounting. 
The capital is consumed over a period of time and allowance for its 
replacement is provided by the depreciation component. The true cost of 
the capital is the blended cost of debt and equity. 

10 A breakout of the EVA factors associated with a Safety System will 

aid in considering the impact of the Safety System on the Total 
Productive System. The superscript "P" designates cash flows associated 
with the total Productive System and the superscript "S" designates cash 
flows associated with the Safety System in the following formulas 

15 demonstrating the effects of the Safety System on the Total Productive 

System: 

EVA = ([OR p + OR**] - [OEP + OE s ] )at-[CC p + CO*] 

Since the only subsystem that generates changes in revenue is Sales, one 
can set the Total Revenue, TR, equal to [OR p + OR s ], as a constant. 

20 EVA = (TR - [OEP + O^at - [CC P + CC* 5 / 

The next step is to measure the cost of the current safety (cs) system 
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(OE s cs & CC s cs). The "CS" subscripts denote cash flows associated with 
the current safety system; the "NS" subscripts denote cash flows 
associated with the productive system without the safety system; and the 
"I" subscripts denote cash flows associated with improvements to the 
5 safety system. 

Next, the safety risk cost of the productive system being served by 
the current safety program (RC p cs) is measured. The safety risk cost of 
the productive system without the safety program (RC p ns) is then 
estimated. However simplified these steps may appear conceptually, one 
1 0 of ordinary skill in the art will appreciate that this is not a trivial exercise. 

The AEVA (AEVA^s) Q f the Current Safety System is the difference 
between the Productive System EVA without a Safety Subsystem (EVA p N s) 
and the Productive System EVA with the current Safety Subsystem 
(EVA p cs), in summary the AEVACS i s defined by: 

1 5 AEVACS = (EVA^cs)- (EVA% S ) 

The productive operating expense can then be separated into the Risk 
Cost component (RC P ) and all other operating expenses (AOE p ) 

EVA p cs = (TR - [AOEPcs + RCPcs + OEScs]) a t - [CC p cs + CCS C s] 

EVA p ns = (TR - [AOE p ns + RC p ns)AT - [CCPns) 
20 wherein OE s ns & CC s ns = 0 

Since the only impact on the cost of capital of adding a safety system is 



17 



Atty. Docket No.: 3033-0 155P 

the addition of the capital cost of the safety system, CC p cs = CC p ns. 
Therefore 

AEVACS = ([AOEPns - AOEPcs] + [RCPns - RCPcs] - OES CS )at - CCS CS 

AOE p ns - AOE p cs = Improvements in the Productive System 
Efficiencies, due to the introduction of better work methods and/ or 
equipment to prevent injuries. We frequently find such improvements 
when introducing ergonomic improvements. 

RC p ns - RC p cs = Reductions in the Risk Cost. This would include 
reduced workers' compensation cost incurred for injured employees, 
reducing lost productivity efficiencies for injured employees on restricted 
duty and replacement workers and avoidance of fines that would be 
incurred in the absence of a safety system. 

OE s cs and CC s cs are the total cost of the safety system. 

Since a decrease in the expenses results in an increase profit, thus an 
increase tax, we can make the tax adjustment by multiplying the expense 
adjustments by (1 - Corporate Tax Rate). The final formula for safety 
EVAS is: 

AEVAcs = {(([AOEPns - AOEPcs] + [RC p ns - RCPcs] - OEs CS )« (1-CTR)}_ [Cs C s • C*] 

Similar reasoning shows that the AEVA for safety improvements is: 
AEVAcs = {([AOEPcs - AOEPis] + [RC p cs - RC p is] - OESis)* (1-CTR)}- [C s is • 
C*] 

18 
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where 

[AOE p cs - AOE p is] is the efficiency gain in the general productive 
system, 

[RC p cs - RC p is] is the reduction in risk cost, 
5 OE s is, is the annual operating expense required for the safety 

improvement, 

CTR is the corporate tax rate, 

C s is is the capital cost of the safety improvement and 
C* is the cost of capital rate, 

10 In summary, the change in EVA associated with an improvement in 

the safety system is equal to 

• Any improvements in the productive system efficiencies, plus 

• The reduction in risk cost, minus 

• The expense cost of the safety improvement, 
15 -All adjusted for tax, minus 

• The cost of capital for any capital cost associated with the safety 
improvement. 

EXAMPLE #1: ECONOMIC VALUE ADDED OF CHANGES TO A SAFETY 
SYSTEM 

20 As an example consider a change in work layout and the addition 

of lift tables to control a material handling risk on an assembly line. 
If the assembly line generates $10,000,000 in sales per year. 
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Operating profit is $500,000. 

Materials and Supplies cost $4,500,000. 

Labor costs are $3,500,000. Safety Risk Costs are $500,000. 

Other GA&O are $1,000,000. 
5 The corporate tax rate is .38 and the cost of capital rate is .095 

The work layout redesign and lift tables have a capital cost of 
$200,000 and an expected lifetime of five years. $40,000 in annual 
depreciation and COis = $200,000 x .095 = $19,000 (cost of capital of 
the improvements). 

10 There is an 80% probability that the safety improvements will 

reduce the safety risks costs by $200,000 per year, resulting in a 
$160,000 reduction in exposure (Probability of Success x Risk Costs= 
0.80 * 200,000). 

In addition we expect a 5% reduction in labor cost because of the 
15 improved layout and ease of handling materials equal to $175,000. 

Accordingly, to calculate the AEVA IS for the expected five year 
lifetime of the investment we layout the EVA cash flows for each of the 
five years. 

Year One EVA = [$175,000 + $160,000 - $40,000] x .62 - $19,000 
20 = $163,900 

Year Two EVA = $163,900 
Year Three EVA = $163,900 
Year Four EVA = $163,900 
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Year Five EVA = $163,900 
The net present value of these cash flows using a 9.5% discount rate is 
$629,328.27. 

Therefore, the AEVAis = $629,328.27, and if the stock price 
5 earnings ratio is 21, then the Market Value Added (MVA) is $13, 215, 

894. 

OPTIMIZING THE ECONOMIC VALUE ADDED OF RISK CONTROLS 

The present invention involves a methodology for selecting a set of 
risk controls that provides the optimal economic value added for a given 
10 control budget. The present invention relies on the following unique 

combination of features to produce a risk optimization method, system, 
and software that maximizes the economic value added of each functional 
segment of an organization: 

Risk Identification and Quantification 

15 One aspect of the present invention provides assistance in 

identifying risks at multiple levels of an organization from an 
organization-wide analysis to a narrowly focused study of specific 
functional area such as environmental or treasury risk. The present 
invention provides exposure benchmark data to assist in quantification of 

20 the risks for clients or organizations that have not attempted similar 

analysis in the past. This is accomplished by the pre -development of risk 
models according to various business classes and functional segments. 



21 



Atty. Docket No.: 3033-0 155P 

For instance, risk models for a variety of safety measures common within 
the paper manufacturing industry can be created, stored and reapplied 
across multiple organizations or departments within the same industry 
group or class. 

5 Management System Support 

A management system approach to risk that greatly enhances 
control effectiveness and reliability is further integrated into the present 
invention. This enables senior management to develop a proactive 
strategy designed to facilitate organizational goals, rather than respond 
10 in a reactive mode to demands from an outside party such as an 
insurance company or government agency. The approach is in 
conformity with the COSO framework and various governmental 
standards regarding risk management. 

Client Customizable 

1 5 Any of the risk or management models developed or applied in the 

present invention, must allow client interaction, editing, and 
customization. This allows a client or manager the ability to define 
critical "value" parameters and to customize the risk and control model to 
fit their unique culture and situation. This is especially important as 

20 risk/ management control models proposed in the present invention may 

be generic to the industry type or business class. By allowing the client 
or individual manager to structure their risk management system 
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according to their own prioritized goals and experiences, the present 
invention will permit risk models that most accurately represent the 
unique characteristics of each organization or company. 

Classification of the Client Market 

The risk modeling and risk control optimizing methodology is 
designed so that it can meet the needs of many different segments of the 
client market. There are at least four ways of segmenting the client 
market that are useful for evaluating client demand: 

Industry class - the system allows a client/ operator to model risks 
and their associated control sets for different industry classes, such as 
general manufacturing, healthcare, transportation, telecom, utilities, etc. 

Client size/ complexity classes - The client market can be further 
divided based upon market size or revenue. For instance, the client 
market can be divided into four (or more broadly or narrowly if desired) 
size/ complexity segments, which are roughly categorized by their sales 
value: 

1. Major Risk Management (>$5 billion) 

2. Risk Management ($1-5 billion) 

3. Middle Market ($.25 - 1 billion) 

4. Commercial lines (<$.25 billion) 

Client Internal Organizational Customers - the system also allows 
an operator to structure/ modify individual risk models so that they meet 
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the needs of different customer segments within a client's organization. 
These customer segments might include A Board of Directors, Internal 
Auditers, Executive Management, Chief Compliance Officers, Various 
Functional Managers (Risk Managers, Environmental Managers, Safety 
5 Managers, Fleet Managers, Property Managers, etc.) or Department 

Heads. 

Country Classification - The country in which the customer is 
located will have an impact on perceived need and value. Countries such 
as Canada, Australia, New Zealand, Great Britain have regulatory 

10 requirements for corporate governance and risk management that work 

to highlight the need for better risk identification and a management 
system approach to risk controls. To a lesser extent in the United States 
the accounting profession, large stockholders and various legal and 
regulatory agencies are also highlighting the need for better risk 

15 identification and a management system approach to risk controls. 

Various tax structures may be present according to the country in which 
an individual company resides or operates that may severely affect the 
manner in which Economic Value Added can be calculated. 

Furthermore, it is assumed that these aforementioned 

20 classifications will not be limiting of the possible organization or 

structure of the methodology or system according to the present 
invention. For instance, clients may desire that risk controls and 
management controls be classified by their duration (time it takes to 
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implement a measure, short term versus long term strategies), labor 
requirements (labor intensive or not), etc.... It is therefore possible to 
further examine the needs of various market segments that are currently 
recognized by the customer and produce or identify additional needs that 
5 exist, but are not currently recognized by the customer. 

The customer inherently values solutions that satisfy recognized 
needs. The present invention provides a useful tool to identify needs 
that were never even realized by a customer until the Economic Value 
Added of a decision is adequately explained and accepted. 

1 0 Optimization of the Economic Value Added 

Once accurate risk models and their associated risk and 
management control strategies have been applied/ developed in the 
foregoing aspects of the present invention, one of the final steps is to 
determine if the risk model is actually ideal. The risk model approach 

15 once optimized for EVA answers the question of whether there is any 

value to a particular set of control activities using a recognized valuation 
methodology. It enables senior management to assure that scarce 
resources are only allocated in a fashion that provides optimal benefit for 
the entire organization. 

20 Changes and comparisons can also be accomplished by further 

analyzing the effects of various models that may each come close to 
producing the same optimized Economic Value Added through more than 
one approach. The risk model and its associated risk and management 
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controls can then be selected according to additional preferences such as 
available cash flows or scheduling requirements. 

Optimizing the EVATM of Risk Controls 

The last critical element of the present invention includes 
5 completing the risk management method or system through the 

optimization of the economic value added by applying a variety of control 
efforts. This effort requires selecting a mix of management controls and 
risk controls that will maximize the reduction in the exposure with the 
minimum investment in cost and time. Optimization is complicated by 
10 the fact that separate controls are often interdependent with regard to 

their ability to reduce the risk exposure. 

In order to proceed with a solution to this problem the present 
inventors have categorized the necessary controls as management risk 
controls (Mi) and specific risk controls (Sj), wherein the total set of risk 
1 5 controls (U) collectively includes both types. 

Management risk controls (Mi) are those controls that are part of 
the risk management system and effect the whole universe of risk. These 
controls also influence the effectiveness of other controls that are 
targeted at specific risks. An example would be a safety audit program. 
20 Specific risk controls (Sj) are those controls that are targeted at 

specific risks. These controls are dependent upon the management 
controls, but are independent of other risk controls. An example would be 
provision of lift tables to reduce the likelihood of back injury arising out 
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of the lifting risk. 

The present invention incorporates a methodology, system, and 
software for selecting a set of controls that optimizes the economic value 
added within a given budget. The methodology needs to be theoretically 
rigorous and practical in its application. 

The present invention considers the master set of risk controls, U, 
that is applied to a set of risk exposures, E R ( el, e2, e3, ...er), where r=the 
total number of risk exposures, associated with a set of risks 
R(rl,r2,r3,...rq ), where q = the total number of risks. The total exposure, 
Et is: 

Et = S er , where 1 < r < q 

Risk exposure er is defined as the product of the risk likelihood 
(i.e., the likelihood of the occurrence, for instance, 50% chance that 
worker will injure his/her back without proper load handling training) 
times the sum of the worst case severity for all consequence of that risk 
(i.e., $25,000 in worker's compensation and medical expenses). 

Now the master set of risk controls U is separated into a set of 
management risk controls Mi that operate (work to reduce) on the entire 
set of risk exposures, Er,. This set of management risk controls, Mi (mi, 
xri2, m.3, ... m n ), where n = the total number of management risk controls; 
and a set of specific risk controls that operate on a specific risk 
exposure, er, call it S, (si,S2,s 3 , ...sj),j = the total number of risk controls. 
As aforementioned, the master set of risk controls U is defined by the 
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sum of the sets of management risk and specific risk controls: 

U= Mi + Sj 

Mi and S/ are interdependent with regard to their ability to reduce Et. In 
other words, specific risk controls are not fully effective without 
5 management risk controls. Management risk controls have limited 

impact without well thought out and implemented risk controls. For 
instance, management risk controls operate at two levels on the risk 
exposure. They have a small direct effect on the entire risk exposure, Et. 
They also work to make the individual risk controls sj of each set of 

1 0 specific risk controls Sj, operate more efficiently. 

The first effect on the risk exposure Et is di, which produces a 
reduction of the entire risk exposure Et and is quantified as a % 
reduction to be applied to Et. The second effect on the risk exposure Xi, 
is measured and quantified as an effectiveness % to be multiplied times 

15 the 100% effective reduction % ,bj, of each individual risk controls, sj, 

which are defined hereinafter. This effectiveness multiplier "xi", or 
second effect on the risk exposure, Xi is described in greater detail 
hereinafter. 

There are two additional factors that the present inventors have 
20 incorporated into the present invention. In order to optimize the benefit 

obtained from a particular set of controls, the cost of the control (ci) and 
the time necessary to implement the control (ti) are considered. Note 
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that in the preferred embodiment, U is a measure of the time duration to 
complete the task and not a measure of the man-hour cost required to 
complete the task. 

Therefore, the above additional factors collectively are represented 
by considering each management risk control to be defined by four 
parameters Mi(di,Xi,Ci,ti). 

Mi = Management risk controls 

di = First Effect on Risk Exposure, ET, % reduction 

Xi = Second Effect on Risk Exposure, ET, % reduction (effectiveness 

multiplier, really varies the effectiveness of the risk control 

benefit, bj, of individual risk controls) 
Ci = Individual Cost of the Control, $ 
ti = Time Duration, time necessary to complete the task 

Specific risk controls, Sj, work at a single level on specific risk 
exposures, e r . The benefit to be obtained by the risk control, by, is defined 
as a % reduction in exposure that could be obtained by the risk control, 
if it were 100% effective over the entire life of the control. For example, if 
the control works perfectly as designed one might expect a 50% reduction 
in the exposure. This risk control benefit "bj" is the same benefit that is 
interdependent on the Second Effect on Risk Exposure, Xi defined 
previously. As with management risk controls two other factors are 
important in evaluating the value of the control, cost (sj and time {rj). 

Accordingly, each specific risk control can therefore be defined by 
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three parameters: 

Sj{bj, Zj,Tj). 

For a particular subset o/ management risk controls, M(mi,m3,m 5 ,...ma) 
and specific risk controls, S(s2,ss, S6, sg, . . .s n ) we can calculate the 
decrease in exposure, AE, as follows: 

AE = [(di +d 5 +ds+ ...+d a ) • Et] + [(xi + x 3 + x 5 + ...+ x a ) • (b 2 »e 2 +b 5 «e 5 + b 6 "e 6 
+ bg»eg + ... + b n *en)] 

Now note that three boundary conditions apply. (1) A management 
system cannot make an activity more than 100% effective, 2 Xi <1; (2) A 

system cannot reduce the total exposure below zero, AE < Et; and (3) no 
matter how many risk controls one applies to a risk exposure, it cannot 
be reduced below zero: 

(1) 2) xi<l, 

(2) AE < E T 

(3) (X1+X3+X5+ . . .+ x«) • (bi»e m ) < e m , wherein bi is the 
benefit parameter of the set of risk controls operating on a risk 
exposure "e m ." 

The cost of the controls is therefore defined by: 

Cost = (Cl + C3 + C5 + - . .+C a ) + [&2 + £5 + £6 + £9 + . . .£n) 

Further, Cost is controlled by the following boundary condition: 
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Cost < Control Budget 
As aforementioned, there were two different time parameters defined 
hereinabove, ti and Tj. The total time required to implement the controls 
is the controlling parameter or value of these two. In other words, the 
5 greatest value of ti or Tj applies. 

The application of this model in the present invention is an 
invaluable tool in efforts to solve the optimization problem and to 
incorporate EVA analysis into the model. 

The first step is to specify for a particular set of risks, R p , a set of 

1 0 potential management risk controls, M p , and a set of potential specific risk 

controls, S p . The above model assumes that management risk controls 
have an equal effect upon all specific risk controls and that a specific risk 
control is specific to a single risk. These assumptions will influence how 
management and specific risk controls are defined. 

15 If one examines the equation for AE, one can see that a system with 

no management controls has a AE = 0, regardless of the number of risk 
controls that are in place. Since a situation where management has a 
complete lack of interest in risk exposures is rarely encountered, only 
three levels of basic non- systematic management control are defined 

20 (more or less can be added/ removed as desired): 

mi = basic management interest, the minimum level of 

management involvement, where Ck = .01 and Xi = . 05 
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m.2 = average management interest, where da = .02 and X2 = .15 

m3 = high management interest, where ck =.03 and X3 =.25 

Every set of management risk controls will include one of the above 
basic non- systematic management controls applied to the overall risk 
5 model. Note that at this point in time the values of cfc and Xi are 

arbitrary. They are only established to reflect that there is some basic 
value even in ad hoc management efforts. As desired by the operator 
applying the present invention, these values can be preset and remain 
unchanged for a particular organization or enterprise, and the operator 
10 can select the parameter or variable each time the present invention is 

applied. 

Having listed out M p and S p , the next step is to establish the values 
of the control parameters di, Xi, a, % h, So, and tj. Now the cost and time 
parameters are unique to each situation and must be established for 

15 each application. However, it would be helpful, and is included within 
the details of the present invention, that preset estimates or industry 
norms for these values can be utilized as baseline figures. 

One of the means of implementing the present invention, involves 
the development of a computerized database(s) that capture the cost and 

20 time parameters along with such factors as would allow one to estimate 

the parameters for different situations. Included in the database are 
values of all of the various control parameters, with individual values of 
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each parameter being associated with respective risk and management 
controls. 

Initially, before the present invention has enjoyed the 
customization and ability to adapt and incorporate "real world" data and 
5 values of the various control parameters aforementioned, the nearly 
endless types of risk control and management control strategies that are 
presently applied in modern business systems along with their control 
parameters can be created and preset, baselined, or pre-established 
according to various market and industry classifications that might be 

10 available through corporate experiences, customer/ client interview and 

surveys, etc. . . . These values and information can be utilized to develop 
a knowledge base, in the form of tables or computerized databases that 
lend themselves to editing and variation in accordance with client 
customization and changes in approach. 

1 5 For example, the present inventors have pre-established by class of 

business the values of cU, Xi and bj, so that the values have some 
statistical validity. This can be accomplished by surveys, customer 
feedback, accident reports, insurance claims, etc. across several 
organizations in a particularly market. In addition, the organizations 

20 applicable to the present invention are not limited to corporations or 

private endeavors, but can equally be applied to any organization, public 
or private, non-profit, governmental agencies, corporations, or small 
entity companies, etc.... 
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The present invention incorporates all of the aforementioned 
information, and applies it into a unique form of EVA analysis to further 
optimize the model(s). For example, the model as aforementioned is 
structured around percentage reductions in exposure. However, 
5 exposure is not defined with regard to its time span, i.e. the likelihood is 

not specified for a particular period of time. In estimating the exposures 
the present inventors apply consistent time periods for the defining the 
likelihood of success. In the following example and illustration of the 
EVA methodology of the present invention, an annual time span for the 

1 0 likelihood of success is used. 

In order to maintain some practical simplicity in the following 
example, it is assumed that all factors involved in selecting a change in 
controls are constant over the time period that the investment is being 
evaluated over. However, with the benefit of computer-aided analysis, it 

15 will be obvious that the following methodology, even in it final form 

presented hereinafter, can be further expanded on to incorporate 
additional parameters, controls of varying time duration, and controls 
which associate cyclical trends as opposed to a single reduction in 
exposure (i.e., % reduction might vary from 19% to 45% over various time 

20 periods or might achieve a sinusoidal/ cyclical responses). 

In the following example, when evaluating a control improvement 
over a five-year period, then the exposures and control parameters will be 
held constant over the five-year period. 
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The safety improvement discussed hereinabove introduced portions 
of the methodology that is hereinafter developed in greater detail. 

The AEVA for safety improvements is: 

AEVA J s = {(([AOE p cs - AOE p «] + [RC p cs - RC 1 ^] - OES^). (1-CTR)}- [C s js • C*] 
5 where 

[AOE p cs - AOE p ts] is the efficiency gain in the general productive 
system, 

[RC P CS - RC p is] is the reduction in risk cost, 

OE s is, is the annual operating expense required for the safety 
1 0 improvement, 

CTR is the corporate tax rate, 

C s is is the capital cost of the safety improvement and 
C* is the cost of capital rate, 

However, this equation can be generalized and applied for any set 
15 of risk improvements as follows: 

AEVA IR = {(([AOE P cr - AOE p ir] + [RC P cr - RC p ir] - OE R j r )« ( 1 -CTR)} - [C R ir • C*] 

Now for a management risk control rm being evaluated over y years 
C R ir = a and OE R ir = a /y 

20 Note that the management control cost must be set equal to the total 

operating expense and capital cost for the y period of years. Also note 
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that y must be constant for all management and specific risk controls 
being considered. 

The reduction in risk cost is set equal to the reduction in total exposure. 
[RC p cr - RC p ir ] = di • E T 

5 If the Corporate Tax Rate and the Cost of Capital are known (or simply 
supplied as default values), then the general equation becomes 

AEVA IR = {(([AOE p cr - AOE p tr ] + [di • E T ] - a /y )• (1-CTR)}- [a • C*] 

However, the current optimization model fails to account for any 
improvements in the efficiency of the general productive system, [AOE p cr - 
10 AOEPfr]. Therefore, a fifth parameter is added to the management risk 

controls, pi, and a fourth parameter is added to the specific risk controls, 
Qj. Generally the effect on the general productive system efficiency will be 
negligible. However, both parameters are defined in terms of dollars 
saved per year. 

15 Therefore, when considering each management risk control to be 

defined by five parameters Mi (pi,di,Xi,G,ti) and each specific risk control to 
be defined by four parameters S/ {Qj, bj,£j,Tj\. In the revised model for a 
particular subset of management risk controls, M (mi,m3,m5,... m a ) and 
specific risk controls, S(s2,S5,S6,sg,...Sn) we can define the total benefit AB, 

20 as the general productivity gain AP, plus the decrease in exposure AE as 

follows: 
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AB = AP + AE, where 

A E = [(di + d 3 + d 5 + . . .+d a )» E T ] + (xj + x 3 + x 5 + . . .+x a ) • 
{b2*C2 + hs'es + h6*ee + bg'eg + . . .+b n , e n ) 

and, 

AP =(pl+p3+p5+. . - + pa) + (X1+X3+X5+. . . +X a ) • (62+65+66+69 + . . .+6 n ) 

Similarly, three boundary conditions still apply. Wherein, (1) A 
management system cannot make an activity more than 106% effective, 

£ Xi <1; (2) A system cannot reduce the total exposure below zero, AE < 

Et; and (3) no matter how many risk controls one applies to a risk 
exposure, it cannot be reduced below zero: 

(1) Yi Xi <1, 

(2) AE < E T 

(3) (X1+X3+X5+ . . .+ xi) • (£>i»e m ) ^ era , wherein bi is the 
benefit parameter of the set of risk controls operating on a risk 
exposure "e m ." 

The cost of the controls remains unchanged and the total time required 
to implement the controls is still governed by the controlling time 
parameter, i.e., the greater value of ti or t,. Accordingly, 

Cost = (Cl + C 3 + C 5 + . . . + C a ) + (82 + £5 + £6 + £9 + . . -£n) 

where, Cost < Control Budget 
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Returning to the calculation of A EVA IR m for a management risk control, 
AEVA IR m = {([AOEP cr - AOEPir] + [di • E T ] - a /y )• (1-CTR)} _ [a • C*] 
where [AOE p cr - AOE p ir] = pi 
or 

5 AEVA IR m = {( pi + [di * Et] — Q /y )• (1-CTR)} - [a • C*] 

Therefore, for an individual specific risk control sj being evaluated over y 
years, 

C R ir = £j and OE R ir = q /y 
The reduction in risk cost is set equal to the reduction in exposure, so 
1 0 that 

RCP cr - RC P ir = (XI+X3+XS+. . ■ +X SL ) • (tff%) 
[AOE p C r - AOE P ir] = (X1+X3+XS+. ■ ■+X & ) • 0j 

If given the Corporate Tax Rate and the Cost of Capital, then 

AEVA IR m = {{{[(xi+X3+X5+. . .+Xa) • 0j/ + [x\ + X3 +X5 + . . .+x a ) • fbj *ej\ - [sj /yj) 
15 • (1-CTR)} - [q • C*] 

Optimization of the EVA Through Integration of Risk and 
Management Controls 

An examination of the economic value added (EVA) of the above 
methodology, indicates that the EVA contribution of a risk control can 
20 only be evaluated in the context of the management risk controls that are 

in place or currently being implemented. In addition, the introduction of 
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a new management risk control improves the effectiveness of not only- 
new risk controls, but also the existing risk controls. 

Therefore, the A I EVA of the new set of management risk controls 
and specific risk controls being proposed as part of a risk improvement 
5 can only be calculated by comparing the AEVA of the current set of 

controls to the AEVA of the current set plus the new controls. 

The total AEVA cr t for the current set of controls is equal to the 
sum of AEVA CR m for all current management risk controls and A EVA CR C 
for all current specific risk controls. 
1 0 The total A EVA IR C for a risk improvement for all risk controls after 

implementation of the new controls becomes (in simplified form): 

A !EVA = A EVA IR r - A EVA 

Applying this principle to a current (initial set of management risk 
controls) set of management controls M c (m2,ms,m6) and a current set of 
15 specific risk controls, S c (si, S3, S4, S5) and a proposed improved set of 

management risk controls, M I (m 3 ,m4,m5,m6,m7,m8) ii and an improved set 
of specific risk controls, S I (si,S3,S4,S5,S6,S7,S8,S9), then the equation 
becomes: 

A l EVA = [{{( [p 3 +p4+ps+p6+p7+ ps] + [ (d3+d4+d5+d 6 +d7+d 8 ) • Et] 

20 - [(C3+C 4 +C 5 +C6+C7+C8)/y]) • (1- CTR)} 

[(C3 + C4 + C5+C6+C7+C8)« C* ]} m 
+ {{([(X3+X4+X 5 +X6+X7+X 8 ) • (61+03+04+95+96+67+68+09)] 
+ [(X3+X4+X5+X6+X7+X8) • 
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(bi»ei+b3«e3+b4»e 4 +b5«e5+b6»e6+b7»e7+b8»e8+b9*e9)] 

- [(£1 + £3+ £4+ £5+ £6+ £7+ £8+ £9)/y]* (1- CTR)} 

- [(£l + £3+ £4+ £5+ £5+ £7+ £8+ £©)• C*]} c ] Imp 

[{{( [p2+p5+pe] + [ (d 2 +d 5 +d 6 ) • E T ]- [(c 2 +c 5 +c 6 )/y]) 

• (1- CTR)} - [(C2+C5+C6)- C* ]} m 

+ {{([( X3+X4+X5+X6+X7+X8) • (01+93+94+95+66+07+98+99)] 
+ [(X3+X4+X5+X 6 +X7+X 8 ) • 

(bi»ei+b3«e3+b4»e4+b5«e5+b6»e6+b7 , e7+bs»e8+b9 , e9)] 

- [(£1 + £3+ £4+ £5+ £5+ £7+ £8+ ©9)/y]« (1- CTR)} 
[(£1 + £3+ £4+ £5+ £6+ £7+ £8+ £&)• C*]} c ] Cur 

where, Imp designates the Improved set of controls and 
Cur designates the Current set of controls 

This equation can be further generalized and applied to calculate 
the change in EVA of a proposed improvement, A ! EVA, as 

A IEVA = [{{( [L Pi ]i + [ (Ldi)i • Et]- [(EcOVy]) • (1- CTR)} - [(Eci)i . C* ]U + 
{ { ([ (Exi)i . (E9i)i] + [ (Exi)i . (Ebj.ej)M - [ (Se/)/y]) • (1- CTR)} 

- [(Esjl). C*]}c] Imp 

[{{( [Z Pi ]C + [ (Edi)c . E T ]- [(Sci)C/y]) . (1- CTR)} - [(Z Ci )C . C* ]} m + 
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{ { ([ (Exi)c . (E0i)Cj + [ (Exi)c . (Ebj.ej)C] - [ (EejC)/ y]) • (1- CTR)} - 
[(EejC). C*]} c ] Cur 

Accordingly, the present inventors have succeeded in expressing the A 
! EVA in terms of the risk exposure, a set of control parameters, the 
5 control budget, the corporate tax rate and the cost of capital rate. The 
optimal set of controls is that set having the greatest A ! EVA. 

The present invention therefore relies on the creation, storage, 
reuse, and modification of risk and management controls in order to 
create a knowledge base for risk models. Table I and Table II 

10 demonstrate sample applications of the aforementioned methodology 

wherein Management Risk and Specific Risk Controls are defined along 
with their respective control parameters. 

A system according to one preferred embodiment of the present 
invention would include a computerized database for storing and editing 

1 5 risk models, wherein the risk models are classified by industry type, 

organizational structure, and functional segments within each industry 
type. Additional classifications can be incorporated into the knowledge 
base. For instance, the risk models can be developed and classified 
according to their respective countries. For instance, a company or 

20 organization operating within countries that belong to the European 

Union may be subject to unique codes, tax rates, management/ risk 
control sets, etc. 
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As seen in the foregoing Tables (I - II), any risk model can be built 
by selecting pre-selected risk and management controls. However, if the 
knowledge base is inadequate for a particular task, the database should 
be fully capable of allowing an operator to manipulate existing controls 
5 and to add/ edit additional controls (risk or management). Furthermore, 

the same risk control may have different parameters for separate 
organizations or functional segments. Accordingly, an operator may wish 
to simply adjust the values associated with a pre-existing risk or 
management control. 

10 As further seen in the accompanying Tables, the exposures 

associated with each risk are also defined within the computerized 
database. If possible, a baseline of unit exposures that can be extended 
against some scaling factor may be used initially. As the operator learns 
more about a particular client or industry, then the specific parameters 

15 associated with each control can be further optimized. 

Figure 4 shows a flow chart of a methodology according to an 
embodiment of the present invention. Figure 5 shows a flow chart of a 
portion of the methodology shown in Figure 4. Figure 6 shows a flow 
chart of a portion of the methodology shown in Figure 4. Figure 7 shows 

20 a flow chart of a portion of the methodology shown in Figure 4. Figure 8 

shows a flow chart of a portion of the methodology shown in Figure 4. 

As seen generally in Figure 4, one embodiment of the present 
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invention is shown that incorporates several steps in the process of 
defining an optimal client risk control system. When the process of 
optimization of a set of risk control begins (100), the first step required is 
to identify and measure applicable client risks (200), then to create and 

5 customize risk control models (300) based on the client risks identified in 

the previous step (200). The client's control budget is then optimized by 
one of two approaches: optimization of a control system within a given 
budget (400) or optimization of a control system and budget (500). Upon 
completion of either of these approaches, the optimal client risk control 

0 system can then be selected. The individual portions of the methodology 

according to an embodiment of the present invention will be described 
hereinafter with reference to the accompanying figures. 

As seen in Figure 5, identification and measuring of risks 
applicable to each client can involve several complicated and detailed 

5 steps. In order to create an applicable, client- specific risk profile, the 

operator must create and store lists of parameterized risks that are 
applicable to a particular client. If current risks already stored within a 
given knowledge base satisfy the client's' objectives and/ or 
characteristics, this step is reduced to a simpler process of simply 

0 extracting those risks that are predefined. However, it is more likely that 

a client's objectives will require the operator of the present invention to 
create and store lists of parameterized risks based on the client's 
individual characteristics. 
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For instance, factors considered in modeling client risk profiles 
may include the industry type, organizational structure, 
organizational/ client objectives and functional segments within each 
industry type. The operator at this point in the process may find it 
advantageous to ensure that a corresponding risk has been identified for 
each of the client's objectives. If a risk has not been identified, then it is 
more likely than not that the operator/ client still needs to identify the 
risk associated with the client objective. 

Once an operator determines that all of the applicable risks have 
been identified and measured, the operator inputs client characteristics 
and applies appropriate scaling factors. Tables I and II of the present 
application, help to demonstrate some of the applicable management risk 
and specific risk controls and their associated parameters and 
characteristics. The operator can then calculate and classify a client's 
risk exposures (for each identified risk in the client risk profile) based 
upon the scaled client risk profile just created. 

Accordingly, the operator can then create and store client specific 
risk models. For a specific client, the operator has identified and 
measured all of the applicable client-specific risks once a client 
composite risk model (201) has been created and stored that requires no 
further adjustment and incorporates all of the actual risks affecting an 
individual client. 

Once the client composite risk model (201) has been created 
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(objective of step 200), the operator must create and customize all 
corresponding risk controls that work to reduce a client's risk exposures. 
As seen in more detail in Figure 6 and discussed hereinabove, the risk 
control models are created from parameterized sets of Management Risk 
Controls (Mi) and Specific Risk Controls (Sjj. In this step (300), the 
operator must create and store sets of both types of risk controls in order 
to create the master set of risk controls (U). 

This involves creating and storing (if not already in the knowledge 
base or database) sets of parameterized Management Risk Control Models 
(Mi) and Specific Risk Control Models (S,) for every risk model identified in 
the Client Composite Risk Model (201) created in the previous step (200). 
The operator then applies client specific scaling factors and time 
parameters to the control models [ for instance, Mi(pi,d i} xi,Q,ti) and Sj (9j, 

The operator and/or client can then select and determine which 
control models must be included or excluded from the final Risk Control 
System (301). This is accomplished by at least one of the two processes 
shown in more detail in Figures 7 (400) and Figure 8 (500). At this 
branch in the inventive process, the operator must determine if the client 
wishes to optimize the final Risk Control System (301) for a given budget 
(400) or if the budget amount is part of the optimization output (500). 

As seen in Figure 7, the control budget amount may already be 
preset or limited for the client. In this case, the operator creates and 
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stores a first Risk Control Model (302) for the Client Composite Risk 
Model (201). The operator then can calculate and store the economic 
value added of the first Risk Control Model (302). The operator can then 
create a comparative /additional (i.e, different than the first model 302) 
5 Risk Control Model (303) for the client risk. This allows the operator to 

calculate and store the economic value added of additional (as many as 
desired by the client/ operator) risk control models incorporating various 
control strategies, emphasizing one client objective over another, etc ... . 
The operator ensures that all of the additional and comparative Risk 

10 Control Models (302, 303) have been evaluated and the client/ operator is 

thereby well suited to select the final Risk Control System (301) that 
produces the greatest economic value added. This comparative process 
has been already discussed in a preferred embodiment hereinabove (See 
Optimization the EVA through Integration of Risk and Management 

15 Controls). 

Alternatively, the client/ operator may have the advantage of being 
able to first select the final Risk Control System (301) and then allocate 
funding for its implementation. One of ordinary skill in the art will 
appreciate that the alternative process defined in Figure 8 (500) is very 

20 similar to that shown in Figure 7 (400), with the exception of the point in 

the process where the control budget is introduced. Optimization of the 
Control System and the budget is accomplished in the second approach 
(500). In the first approach, the operator is working within a predefined 
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budget. 

In addition, the present invention will incorporate a computer- 
based data processing system to enable an operator to create the final 
risk control system providing a maximum economic value, wherein the 
5 system will comprise a means for storing risk models, wherein the risk 

models include risks and corresponding risk exposures. The system 
must include means for storing specific risk control models and means 
for storing management risk control models further classified and 
arranged by at least industry type, organizational structure, and 

10 functional segments within each industry type. The system should 

further include means for developing risk control systems by combining 
the specific risk and management risk controls into at least one client 
specific risk control system. 

The various means for implementing the aformentioned 

15 computerized data processing system can incorporate a series of 

electronic databases or a single database that incorporates all of the 
information into a large tabular format, with the fields permitting 
characterization of the data into risk models, specific risk controls and 
management risk controls. One of ordinary skill in the art will appreciate 

20 that a standalone system can be created using known programming 

languages (i.e., Dbase) and database software or the data processing 
system can incorporate links to or operate within one of several known 
operating systems or software suites (i.e., MS Access, MS Office, etc. . .). 
In addition, the system must incorporate a means for determining 

25 the optimum risk control system by calculating the Economic Value 

Added (EVA) of each client specific risk control system so that said 
operator can select the optimum risk control system that demonstrates a 
maximum Economic Value Added (EVA). This can be accomplished by 
any known computer aided mathematical analysis, stored functions 

30 within a database structure, or dedicated microprocessor. 

In addition, it is a feature of the present invention that a processor- 
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readable article of manufacture be utilized to store the method of the 
present invention. This can be a program having embodied thereon 
software comprising a plurality of code segments that implements the 
method of any one or all of the steps defined by Figures 4-8, in order to 
5 enable an operator to optimize a selection of risk controls based upon 

maximizing the economic value added within a given risk control budget, 
wherein 

The invention being thus described, it will be obvious that the 
same may be varied in many ways. Such variations are not to be 
10 regarded as a departure from the spirit and scope of the invention, and 

all such modifications as would be obvious to one skilled in the art are 
intended to be included within the scope of the following claims. 
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Claims 

What is claimed is: 



1 1 . A method for optimizing a selection of risk controls based upon 

2 maximizing the economic value added within a client's given risk control 

3 budget, wherein said method comprises the following steps: 

4 identifying and measuring risks; 

5 creating at least one risk control system based upon said risks; 

6 determining the economic value added of each risk control system; 

7 and 

8 selecting an optimal risk control system that has a maximum 

9 economic value added based upon the determining step. 

1 2. The method according to claim 1, wherein the step of identifying 

2 and measuring risks further includes the steps of 

3 creating and storing lists of parameterized risks; and 

4 preparing a client risk profile, said client risk profile including said 

5 lists of parameterized risk that are applicable to said client. 

1 3. The method according to claim 2, wherein said lists of 

2 parameterized risks are classified and arranged by at least industry type, 

3 organizational structure, organizational objective, and functional 

4 segments within each industry type. 

1 4. The method according to claim 2, wherein the step of identifying 

2 and measuring risks further includes the steps of 

3 inputting client characteristics and applying scaling factors to said 

4 client risk profile; and 

5 measuring said risks based upon each risk's exposure. 



1 



5. The method according to claim 3, wherein the step of identifying 
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2 and measuring risks further includes the steps of 

3 inputting client characteristics and applying scaling factors to said 

4 client risk profile; and 

5 measuring said risks based upon each risk's exposure. 

1 6. The method according to claim 4, wherein said risk exposures 

2 are estimated from an analysis of loss distribution functions of each risk. 

1 7. The method according to claim 5, wherein said risk exposures 

2 are estimated from an analysis of loss distribution functions of each risk. 

1 8. The method according to claim 4, wherein the step of identifying 

2 and measuring risks further includes the steps of 

3 creating and storing parameterized models of the risk exposure of 

4 said risks, wherein said parameterized models are scaleable based upon 

5 various exposure units; and 

6 creating and storing a client composite risk model based upon said 

7 parameterized models of the risk exposure of said risks, wherein said 

8 client composite risk model incorporates all of said risks affecting said 

9 client. 

1 9. The method according to claim 7, wherein the step of identifying 

2 and measuring risks further includes the steps of 

3 creating and storing parameterized models of the risk exposure of 

4 said risks, wherein said parameterized models are scaleable based upon 

5 various exposure units; and 

6 creating and storing a client composite risk model based upon said 

7 parameterized models of the risk exposure of said risks, wherein said 

8 client composite risk model incorporates all of said risks affecting said 

9 client. 
10 
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1 10. The method according to claim 9, wherein the client composite 

2 risk model is based upon client specific characteristics of at least 

3 industry type, organizational structure, organizational objectives and 

4 functional segment within each industry type. 

1 11. The method according to claim 10, further including the step 

2 of calculating a total risk exposure, Et, for said client composite risk 

3 model. 

1 12. The method according to claim 1, wherein the step of creating 

2 at least one risk control system further includes the steps of 

3 creating and storing sets of parameterized management risk 

4 control models for said risks; 

5 creating and storing sets of parameterized specific risk control 

6 models for said risks; and 

7 combining said sets of parameterized management risk and specific 

8 risk control models into at least one risk control system. 

1 13. The method according to claim 11, wherein the step of creating 

2 at least one risk control system further includes the steps of 

3 creating and storing sets of parameterized management risk 

4 control models for said risks; 

5 creating and storing sets of parameterized specific risk control 

6 models for said risks; and 

7 combining said sets of parameterized management risk and specific 

8 risk control models into at least one risk control system. 

1 14. The method according to claim 13, wherein said final risk 

2 control system includes sets of parameterized management risk and 

3 specific risk control models for each risk model included in said client 

4 composite risk model. 
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1 15. The method according to claim 12, each parameterized set of 

2 management risk controls, Mi, includes parameter values, said parameter 

3 values include 

4 a production efficiency value, pi, stated per a pre-defined unit 

5 characteristic of the client for the production efficiency value, pi-unit; 

6 a direct exposure reduction factor, dr, 

7 a management efficiency factor, xq 

8 a cost factor, a, state per a pre-defined unit characteristic of the 

9 client for the cost factor, a-unit; and 

10 a time interval, U, required to implement each management risk 

1 1 control, rrn. 

1 16. The method according to claim 12, each parameterized set of 

2 specific risk controls, Sj, includes parameter values, said parameter 

3 values include 

4 a production efficiency factor, Gj, stated per a pre-defined unit 

5 characteristic of the client for the production efficiency value, Oj-unit; 

6 a percent reduction in exposure, bj, obtained by each specific risk 

7 control, sj, if said risk control operates correctly over an entire life of each 

8 risk control; 

9 a cost factor, sj, stated per a pre-defined unit characteristic of the 

1 0 client for the cost factor, sj-unit; and 

1 1 a time interval, rry, required to implement each specific risk control. 

1 17. The method according to claim 14, each parameterized set of 

2 management risk controls, Mi, includes parameter values, said parameter 

3 values include 

4 a production efficiency value, pi, stated per a pre-defined unit 

5 characteristic of the client for the production efficiency value, pi-unit; 

6 a direct exposure reduction factor, di\ 
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7 a management efficiency factor, xc, 

8 a cost factor, a, state per a pre-defined unit characteristic of the 

9 client for the cost factor, a-unit; and 

10 a time interval, t : , required to implement each management risk 

11 control, rrn. 

1 18. The method according to claim 14, each parameterized set of 

2 specific risk controls, S/, includes parameter values, said parameter 

3 values include 

4 a production efficiency factor, 6j, stated per a pre-defined unit 

5 characteristic of the client for the production efficiency value, 6j-unit; 

6 a percent reduction in exposure, bj, obtained by each specific risk 

7 control, sj, if said risk control operates correctly over an entire life of each 

8 risk control; 

9 a cost factor, Sj, stated per a pre-defined unit characteristic of the 

1 0 client for the cost factor, sj-unit; and 

1 1 a time interval, mj, required to implement each specific risk control. 

1 19. The method according to claim 18, each parameterized set of 

2 specific risk controls, Sj, includes parameter values, said parameter 

3 values include 

4 a production efficiency factor, 6j, stated per a pre-defined unit 

5 characteristic of the client for the production efficiency value, Oj-unit; 

6 a percent reduction in exposure, bj, obtained by each specific risk 

7 control, s/, if said risk control operates correctly over an entire life of each 

8 risk control; 

9 a cost factor, e jt stated per a pre-defined unit characteristic of the 

1 0 client for the cost factor, Sj-unit; and 

1 1 a time interval, mj, required to implement each specific risk control. 
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1 20. The method according to claim 19, wherein the step of 

2 determining the economic value added of each risk control system, 

3 further includes the steps of 

4 calculating the economic value added of each risk control system 

5 with an algorithm which incorporates the parameters associated with 

6 said sets of management risk and specific risk controls; and 

7 selecting a final risk control system that generates a maximum 

8 value of the economic value added. 

1 21. The method according to claim 20, wherein said algorithm is 

2 used to generate the economic value added , A iEVA, between an 

3 improved (Imp) risk control system and a current (Cur) risk control 

4 system, and where CTR is a corporate tax rate, C* is a cost of capital, m 

5 indicates a management control, c indicates a specific risk control, and y 

6 is years, said algorithm is defined as follows: 

7 A iEVA = [{{( [Lpi]i + [ (Ldi)i • E T ]- [(EcOVy]) • (1- CTR)} - [(E Ci )i • C* ]}m + 

8 { { ([ (Exi)i • (Eei)i] + [ (Zxi)i • (Ebj-ejH - [ (5V)/y]) • (1- CTR)} 

9 - [(Eefl • C*]}c] i mp 
10 

1 1 [{{( [E Pi ]c + [ (Edi)c . Et ]- [(Eci)c/ y ]) . (1- CTR)} - [(Eci)c . C* ]}m 

12 + { {([ (Exi)c . (E9i)C] + [ (Exi)c . (Ebj.ej)C] - [ (E £j c)/y]) . (l- 

13 CTR)} - [(E £j C) • C*]} c ] Cur- 
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1 22. A computer-based data processing system to enable an 

2 operator to create a risk control system providing a maximum economic 

3 value, wherein said system comprises: 

4 means for storing risk models, wherein said risk models include 

5 risks and corresponding risk exposures; 

6 means for storing specific risk control models further classified and 

7 arranged by at least industry type, organizational structure, and 

8 functional segments within each industry type; 

9 means for storing management risk control models further 

10 classified and arranged by at least industry type, organizational 

1 1 structure, and functional segments within each industry type; 

12 means for developing risk control systems by combining said 

13 specific risk and management risk controls into at least one client 

14 specific risk control system; and 

15 means for determining an optimum risk control system by 

16 calculating an Economic Value Added (EVA) of each client specific risk 

1 7 control system so that said operator can select the optimum risk control 

18 system that demonstrates a maximum Economic Value Added (EVA). 

1 23. The system according to claim 22, wherein said means for 

2 determining an optimum risk control system is a computerized device 

3 capable of processing mathematical algorithms. 

1 24. A processor-readable article of manufacture having embodied 

2 thereon software comprising a plurality of code segments that 

3 implements the method of claim 1 , in order to enable an operator to 

4 optimize a selection of specific risk controls and management risk 

5 controls into a final risk control system designed to maximize the 

6 economic value added within a client's given risk control budget. 
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Abstract of the Disclosure 

A method and system for selecting an optimal set of management 
and risk controls for a given set of risks within a variable control budget. 
Specifically, optimization according to the present invention is defined 
using a method and system to calculate the greatest reduction in an 
organization's risk exposure with the minimum investment in cost and 
time as measured by the economic value added of the risk system 
change. Risk control models and management risk control models are 
client customized into a risk control system specifically addressing a 
clients applicable risks and their associated exposures. An operator is 
able to determine which risk control system maximizes available 
resources while also reducing an organization's total risk exposure. 
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